[Webkit-unassigned] [Bug 145275] New: CloudFuzz: *exploitable* Invalid memory access in WebCore::CachedResourceClientWalker

bugzilla-daemon at webkit.org
Thu May 21 11:12:37 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=145275

            Bug ID: 145275
           Summary: CloudFuzz: *exploitable* Invalid memory access in
                    WebCore::CachedResourceClientWalker
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: koivisto at iki.fi

14/05/15 12:15 Drew Yao:
Opening the attached html file in a debug build of WebKit trunk (r184335) with libgmalloc causes a crash.

Process 66512 stopped
* thread #1: tid = 0xd418f9, 0x00000001056a3566 WebCore`WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next(this=0x00007fff5fbfd510) + 166 at CachedResourceClientWalker.h:54, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1646d7ff0)
    frame #0: 0x00000001056a3566 WebCore`WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next(this=0x00007fff5fbfd510) + 166 at CachedResourceClientWalker.h:54
   51              while (m_index < size) {
   52                  CachedResourceClient* next = m_clientVector[m_index++];
   53                  if (m_clientSet.contains(next)) {
-> 54                      ASSERT_WITH_SECURITY_IMPLICATION(T::expectedType() == CachedResourceClient::expectedType() || next->resourceClientType() == T::expectedType());
   55                      return static_cast<T*>(next);
   56                  }
   57              }
(lldb) bt
* thread #1: tid = 0xd418f9, 0x00000001056a3566 WebCore`WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next(this=0x00007fff5fbfd510) + 166 at CachedResourceClientWalker.h:54, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1646d7ff0)
  * frame #0: 0x00000001056a3566 WebCore`WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next(this=0x00007fff5fbfd510) + 166 at CachedResourceClientWalker.h:54
    frame #1: 0x00000001056a1822 WebCore`WebCore::CachedImage::notifyObservers(this=0x0000000164586b80, changeRect=0x0000000000000000) + 66 at CachedImage.cpp:314
    frame #2: 0x00000001056a2053 WebCore`WebCore::CachedImage::finishLoading(this=0x0000000164586b80, data=0x000000016c3fffc0) + 547 at CachedImage.cpp:436
    frame #3: 0x00000001072d5005 WebCore`WebCore::SubresourceLoader::didFinishLoading(this=0x00000001645a2b00, finishTime=0) + 517 at SubresourceLoader.cpp:371
    frame #4: 0x0000000106fcb455 WebCore`WebCore::ResourceLoader::didFinishLoading(this=0x00000001645a2b00, (null)=0x0000000164623fe0, finishTime=0) + 53 at ResourceLoader.cpp:562
    frame #5: 0x000000010758c03a WebCore`-[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:](self=0x0000000164633ff0, _cmd=0x00007fff9612ca40, connection=0x0000000164639ff0) + 186 at WebCoreResourceHandleAsDelegate.mm:260
    frame #6: 0x00007fff95b7a24d CFNetwork`__65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke + 69
    frame #7: 0x00007fff95b7a0b1 CFNetwork`-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 232
    frame #8: 0x00007fff95b79fb7 CFNetwork`-[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 48
    frame #9: 0x00007fff95b7af74 CFNetwork`___ZN27URLConnectionClient_Classic26_delegate_didFinishLoadingEU13block_pointerFvvE_block_invoke + 104
    frame #10: 0x00007fff95c2e703 CFNetwork`___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 + 94
    frame #11: 0x00007fff95acfcec CFNetwork`RunloopBlockContext::_invoke_block(void const*, void*) + 72
    frame #12: 0x00007fff87568664 CoreFoundation`CFArrayApplyFunction + 68
    frame #13: 0x00007fff95acfbad CFNetwork`RunloopBlockContext::perform() + 133
    frame #14: 0x00007fff95acf998 CFNetwork`MultiplexerSource::perform() + 282
    frame #15: 0x00007fff95acf7ba CFNetwork`MultiplexerSource::_perform(void*) + 72
    frame #16: 0x00007fff8759ca01 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #17: 0x00007fff8758eb8d CoreFoundation`__CFRunLoopDoSources0 + 269
    frame #18: 0x00007fff8758e1bf CoreFoundation`__CFRunLoopRun + 927
    frame #19: 0x00007fff8758dbd8 CoreFoundation`CFRunLoopRunSpecific + 296
    frame #20: 0x00007fff919dda59 Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 278
    frame #21: 0x0000000100002988 parseWebKit`main(argc=3, argv=0x00007fff5fbff5d8) + 4104 at parseWebKit.m:241
    frame #22: 0x00007fff890385c9 libdyld.dylib`start + 1
    frame #23: 0x00007fff890385c9 libdyld.dylib`start + 1
